Closed
Bug 246097
Opened 20 years ago
Closed 20 years ago
XPinstall whitelist additions [xpinstall not working]
Categories
(Core Graveyard :: Installer: XPInstall Engine, enhancement)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: dveditz, Assigned: dveditz)
bug 240552 added a whitelist to XPInstall. For the Mozilla suite the point was not to restrict functionality from friendly sites but to protect against unknown malicious sites. Since the XPInstall confirmation dialog will still always show up as the main security measure I'm happy adding additional mozilla developer sites in the short term.

Unfortunately I didn't get any nominations in that bug before I fixed it, so this bug will hold those. Long term we will have a UI solution (bug 241705).

I'll start off with www.hacksrus.com, host to the active development versions of chatzilla and venkman. Do we want to add that one (opening it up to all members of hacksrus, not just ginda), or figure people who want it are smart enough to add it on their own?
Assignee
Comment 1•20 years ago
Should we add bugzilla.mozilla.org to the -BLACK-list? Makes testcases harder to deal with but too many people can add content here. Since you can't add script to a bug comment I think you'd have to be able to add an attachment to take advantage. But if you can add an attachment then it'd be easy. :-(
Comment 2•20 years ago
I have a list of extensions I install with every upgrade, so here are the ones bug 240552 affected:

<http://www.mozcafe.com/> contains additional spellchecker languages, as well as a splash.xpi that changes the splash screen.
<http://tecwizards.de/mozilla/> contains the "paste and go" extension.
<http://3rdhand.info/mozilla/home/> contains the ever popular "Home button" add-on.
<http://cgi29.plala.or.jp/%7Emozzarel/> contains a few add-ons, like the Bookmarks Link Checker, and the Browser Spell Checker (for text fields and web forums)
and of course <http://white.sakura.ne.jp/%7Epiro/xul/xul.html.en> contains many extensions, like Tabbrowser Extension.

I've also got a small site <http://ilias.ca/>, that hosts prefsize.xpi, which makes the preferences window resizable.
Comment 3•20 years ago
A few more:

<http://skypilot.projectit.com/> hosts the skypilot theme
<http://projectit.com/freestuff.html> hosts many themes, which seem to reside on <http://skypilot.projectit.com/>.
<http://www.java.com/en/download/manual.jsp> Sun makes JRE available through XPI.
And of course, there's the Extensions Mirror by sboulema: http://www.extensionsmirror.nl/ Big vote now for that one.
Comment 5•20 years ago
Yep my site deserves an entry in the list I guess ;)
Pinball and GrayModern themes for Mozilla http://mozilla-themes.schellen.net/ Theme installation is blocked unnecessarily. Themes can't contain executable code when installed from a jar file. Anyway, until this issue is resolved, theme pages should be included in the whitelist.
Assignee
Comment 7•20 years ago
InstallTrigger.installChrome() can install more than just skins, unfortunately, but I agree that themes are not as dangerous as the rest. I guess it wouldn't be too hard a change though.
Comment 8•20 years ago
My themes are located at http://www.cs.txstate.edu/~as1130/themes/*theme_name*/theme.jar, so would adding http://www.cs.txstate.edu/~as1130/themes/ to the whitelist be adequate? I use a redirection service (http://www.mozthemes.tk) that points to http://www.cs.txstate.edu/~as1130/themes/, but I don't know if the redirection service would mess up the XPInstall...
Comment 9•20 years ago
If my site http://www.extensionsmirror.nl/ gets added, will http://extensions.extensionsmirror.nl and http://themes.extensionsmirror.nl also be whitelisted? If not, please add them to the list.
Comment 10•20 years ago
Many popular Firefox themes: http://home.comcast.net/~lynchknot/fthemes.html
Comment 11•20 years ago
My theme files are located at:

http://www.tom-cat.com
http://tom-cat.com
http://www.catthief.com
http://catthief.com

I included both the root domain and the www. prefix, not knowing exactly how your whitelist is handled.
Comment 12•20 years ago
Nois 2.0 theme for both Firefox and Thunderbird

http://www.deviantart.com/deviation/4266778/
http://www.deviantart.com/deviation/5706856/
http://www.deviantart.com/deviation/5316474/
Comment 13•20 years ago
Red Cats and Curacao themes for Firefox: http://www.bluecatsgraphics.com/
Assignee
Comment 14•20 years ago
The problem with sites like http://isp.com/~member/ is that we can't whitelist just the one member. Do we trust that a scumware vendor wouldn't be willing to sign up for an account on one of our default whitelisted sites if that meant they could get around the restriction on pushing their wares? I think we need to give up on whitelisting additions, there are just too many sites to be fair. Letting theme installs bypass the whitelist restriction will help tremendously -- that should be step one. After that we should just get the UI implemented so people can easily restart blocked installs and whitelist their own favorites.
Comment 15•20 years ago
http://white.sakura.ne.jp/~piro/xul/xul.html.en
ContextMenu Extensions
Tabbrowser Extensions
Sidebar Window for Mozilla & Netscape 7
Rewind/Fastforward Buttons
+ more (kinda hard to avoid this guy :)

Chrispederick.com
User Agent Switcher
Web Developer (web dev toolbox supreme)
Comment 16•20 years ago
For plugins, I'd suggest adding the following:

java.sun.com (Java)
java.com (Java)
parallelgraphics.com (Cortona VRML)
host.cycore.net (Cult3D)
bxwa.com (FastBid)
ipix.com (iPIX)
virtools.com (Virtools Web Player, untested and not on PluginDoc at present)

Food for thought:

iol.ie (ActiveX plugin, as much as I hate the thing)
netscape.com (tends to have interesting XPIs from time to time)

With the exception of iol.ie and netscape.com, all the sites above are vendor sites, so the concerns in comment 14 aren't so much of an issue. In the case of netscape.com, there have often been useful things like Flash XPIs there.
Comment 17•20 years ago
Is there a Firefox version of this bug?
Comment 18•20 years ago
My Silver Skin theme files for Firefox are located at:

http://www.maurobartoccelli.com/silverskin/silverskin_1.5.jar
http://www.maurobartoccelli.com/silverskin/Silverskin_2.0_(Firefox_0.9).jar
http://www.maurobartoccelli.com/silverskin/Silverskin_2.1_Default_theme.jar
Comment 19•20 years ago
about theme installation: see Bug 246375
Comment 20•20 years ago
Not sure if this is still valid or not, but better safe than sorry, I suppose. Future versions of GrayModern for Firefox (and probably the new Modern theme as well) will be hosted on: http://www.finalstar.com/
Comment 21•20 years ago
Navigation toolbar and themes for my online classes: http://papyr.com
Comment 22•20 years ago
Well, http://stud4.tuwien.ac.at/~e0225227/ would be nice... (mng xpi) ...but half of the students at tuwien can host webpages on this server. Do you trust them? :)
Comment 23•20 years ago
I wouldn't mind having my site at http://ted.mielczarek.org/code/mozilla/ whitelisted, but I get the feeling that most people install the extensions from u.m.o anyway, so it's probably not a big deal.
Comment 24•20 years ago
Well, Firefox now has a handy UI for adding items to your own whitelist. UMO is now on it, but *.m.o is not (to avoid bmo). Everyone is chipping in their favorite extension and theme sites, but I feel that the number of whitelisted sites should be pretty limited. At some point UMO will allow authors to upload updates to their extensions and themes. These will be verified by "staff" before they are approved to be listed. In other words, I don't think the whitelist needs to contain anything other than UMO.
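The host-granularity problem raised in comments 14 and 24, modelled as an added example; this is not part of the bug and not Mozilla's XPInstall code. It assumes an entry matches its exact host and any subdomain; `hostAllowed`, `normalizeEntries`, the install URLs and the use of `update.mozilla.org` for UMO are all illustrative.

```javascript
// Added illustration: a host-granular install allowlist (not Mozilla's code).
// Assumption: an entry matches its exact host and any subdomain of it.
function hostAllowed(allowlist, installUrl) {
  let url;
  try {
    url = new URL(installUrl);
  } catch (e) {
    return false; // unparsable source: deny
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  return allowlist.some((entry) => {
    const e = entry.toLowerCase();
    // The "." keeps "nottom-cat.com" from matching "tom-cat.com".
    return host === e || host.endsWith("." + e);
  });
}

// Reduce requested entries to hosts and report every request that carried a
// path: a host-only list cannot keep the grant limited to that path.
function normalizeEntries(requested) {
  const hosts = new Set();
  const widened = [];
  for (const r of requested) {
    let u;
    try {
      u = new URL(r.includes("://") ? r : "http://" + r);
    } catch (e) {
      continue; // skip malformed nominations
    }
    hosts.add(u.hostname.toLowerCase());
    if (u.pathname !== "/") widened.push(r);
  }
  return { hosts: [...hosts], widened };
}

// Nominations as written in the thread; the install URLs are constructed.
const nominated = normalizeEntries(["http://isp.com/~member/", "tom-cat.com"]);
const checks = {
  otherMemberSameHost: hostAllowed(nominated.hosts, "http://isp.com/~other/pkg.xpi"),
  wwwPrefix: hostAllowed(nominated.hosts, "http://www.tom-cat.com/theme.jar"),
  lookalike: hostAllowed(nominated.hosts, "http://nottom-cat.com/theme.jar"),
  parentEntryCoversBugzilla: hostAllowed(["mozilla.org"], "http://bugzilla.mozilla.org/attachment.cgi"),
  narrowEntrySkipsBugzilla: hostAllowed(["update.mozilla.org"], "http://bugzilla.mozilla.org/attachment.cgi"),
};
console.log(nominated, checks);
```

The `widened` list is the part worth reviewing before shipping a default list: every entry in it grants more than the nomination asked for.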
Assignee
Comment 25•20 years ago
wontfix, instead we need a decent UI (such as the one Firefox has added) that lets people create their own custom whitelist. See also bug 246375 (don't require whitelisting for theme installs).
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Updated•9 years ago
Product: Core → Core Graveyard